Department gets rid of data where it did not have ‘explicit consent’ of users

HM Revenue and Customs has deleted the voiceprints of five million citizens from whom it failed to gain adequate consent.

In June 2018 a complaint was made to the Information Commissioner’s Office about the department’s use of “implied consent” to collect the voice identification data of people ringing HMRC helplines. 

Two months after this grievance was filed, the department implemented a new process in which voice data is only retained in cases where callers provide explicit to consent to do so. This change was made to ensure HMRC complied with its obligations under GDPR, according to a letter written by HMRC permanent secretary Jon Thompson and newly published online.

Related content

• HMRC voice ID scheme sees 160,000 opt-outs
• GDPR: Five things we will only discover after 25 May
• GDS expands use of voice recognition

Thompson added that the tax agency will also delete the voiceprints of the five million people who were enrolled in the voice ID scheme before October 2018, and have yet to call HMRC since then to confirm – or revoke – their consent.

The department is left with voice data on 1.5 million people who have called up during the last six months and expressly agreed to the new terms of service.

In the letter, which Thompson addressed to HMRC’s data protection officer Chris Franklin, the perm sec said that he was “satisfied that HMRC should continue to use Voice ID”. 

“It is popular with our customers, is a more secure way of protecting customer data, and enables us to get callers through to an adviser faster,” he said. “HMRC has worked hard to ensure the system complies with GDPR requirements around explicit consent and our published privacy notice already makes clear that we will not use voice identification data for any other purposes. In the interests of being transparent about the decisions we have made, I am arranging for this note to be made public and have advised the ICO accordingly.”